Description
Detect unsuccessful (denied) Azure Active Directory Multi-Factor Authentication sign-in attempts followed by a successful (approved) sign-in attempt. This may indicate a successful Azure AD MFA fatigue attack by a threat actor who previously obtained the user's valid credentials (username and password).
Required Info
Target indexes
logs-azure.signinlogs*
Additional requirements
Azure Logs integration (Azure sign-in logs)
Target Operating Systems
Not applicable
Platforms
Azure Active Directory
Tested ECS Version
8.5.0, 8.5.1, 8.5.2
Optional Info
MITRE ATT&CK
Tactic - Credential Access (TA0006)
Technique - Multi-Factor Authentication Request Generation (T1621)
Query
event.dataset : "azure.signinlogs"
  AND azure.signinlogs.operation_name : "Sign-in activity"
  AND azure.signinlogs.properties.authentication_requirement : "multiFactorAuthentication"
  AND azure.signinlogs.result_type : "50140"
  AND azure.signinlogs.properties.authentication_details.authentication_step_result_detail : (
        "MFA denied; user declined the authentication"
    AND "MFA successfully completed"
    AND NOT "Authentication in progress"
  )
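The following is an added example, not part of this issue or of Elastic's rule code, that emulates the detection over constructed sample sign-in events in Python. `matches_single_event_rule` mirrors the query above: in KQL, `field : ("A" AND "B")` matches one document whose (array) field contains both values, so the query only fires when the declined and the approved MFA steps are recorded inside the same sign-in event's authentication_details. `find_denied_then_approved` goes beyond the query and correlates separate sign-in events for the same user within a time window, which is how repeated push prompts and the final approval usually appear in the logs. Field names are the ECS/azure.signinlogs fields used in the query plus azure.signinlogs.properties.user_principal_name; the users, timestamps and events are constructed, and the 10-minute window is an assumed value.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Step-detail strings quoted in the issue's query.
DENIED = "MFA denied; user declined the authentication"
COMPLETED = "MFA successfully completed"
IN_PROGRESS = "Authentication in progress"


def _event(user, ts, steps, result_type="0"):
    """Build one flattened azure.signinlogs event (constructed sample, not a real log)."""
    return {
        "@timestamp": ts,
        "event.dataset": "azure.signinlogs",
        "azure.signinlogs.operation_name": "Sign-in activity",
        "azure.signinlogs.result_type": result_type,
        "azure.signinlogs.properties.user_principal_name": user,
        "azure.signinlogs.properties.authentication_requirement": "multiFactorAuthentication",
        "azure.signinlogs.properties.authentication_details": [
            {"authentication_step_result_detail": s} for s in steps
        ],
    }


T0 = datetime(2023, 1, 10, 8, 0, tzinfo=timezone.utc)  # assumed timestamp base
M = timedelta(minutes=1)

SAMPLE_EVENTS = [
    # alice: three declined push prompts, then an approval one minute after the last one.
    _event("alice@example.com", T0, [DENIED]),
    _event("alice@example.com", T0 + 1 * M, [DENIED]),
    _event("alice@example.com", T0 + 2 * M, [DENIED]),
    _event("alice@example.com", T0 + 3 * M, [COMPLETED]),
    # bob: one decline, then a normal approval two hours later (outside the window).
    _event("bob@example.com", T0, [DENIED]),
    _event("bob@example.com", T0 + 120 * M, [COMPLETED]),
    # carol: denial and approval recorded as steps of one sign-in, the shape the query targets.
    _event("carol@example.com", T0 + 5 * M, [DENIED, COMPLETED], result_type="50140"),
    # dave: plain approval with no prior denials.
    _event("dave@example.com", T0 + 6 * M, [COMPLETED]),
]


def step_details(event):
    """Return the authentication_step_result_detail strings of one sign-in event."""
    details = event.get("azure.signinlogs.properties.authentication_details", [])
    return [d.get("authentication_step_result_detail", "") for d in details]


def is_mfa_signin(event):
    """The dataset / operation / MFA-requirement filters shared by both checks."""
    return (
        event.get("event.dataset") == "azure.signinlogs"
        and event.get("azure.signinlogs.operation_name") == "Sign-in activity"
        and event.get("azure.signinlogs.properties.authentication_requirement")
        == "multiFactorAuthentication"
    )


def matches_single_event_rule(event):
    """Mirror of the issue's KQL: both step details present in ONE event, no in-progress step.
    The result_type filter is kept exactly as the query states it."""
    if not is_mfa_signin(event):
        return False
    if str(event.get("azure.signinlogs.result_type")) != "50140":
        return False
    steps = set(step_details(event))
    return DENIED in steps and COMPLETED in steps and IN_PROGRESS not in steps


def find_denied_then_approved(events, window_minutes=10):
    """Sequence form (beyond the query): per user, one or more declined MFA prompts
    followed within window_minutes by an approved prompt, across separate events.
    Returns (user, number_of_denials, approval_timestamp) tuples."""
    window = timedelta(minutes=window_minutes)
    per_user = defaultdict(list)
    for ev in events:
        if is_mfa_signin(ev):
            per_user[ev["azure.signinlogs.properties.user_principal_name"]].append(ev)

    hits = []
    for user, evs in per_user.items():
        evs.sort(key=lambda e: e["@timestamp"])
        denials = []  # timestamps of declines not yet followed by an approval
        for ev in evs:
            steps = step_details(ev)
            ts = ev["@timestamp"]
            if DENIED in steps and COMPLETED not in steps:
                denials.append(ts)
            elif COMPLETED in steps:
                recent = [t for t in denials if ts - t <= window]
                # A decline recorded inside the same event counts as one more denial.
                n = len(recent) + (1 if DENIED in steps else 0)
                if n:
                    hits.append((user, n, ts))
                denials = []  # an approval closes the sequence either way
    return hits


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        if matches_single_event_rule(ev):
            print("single-event match:", ev["azure.signinlogs.properties.user_principal_name"])
    for user, n, ts in find_denied_then_approved(SAMPLE_EVENTS):
        print(f"sequence match: {user} approved after {n} denial(s) at {ts.isoformat()}")
```

On the constructed data only carol's sign-in satisfies the single-event query, while the sequence check also surfaces alice's three declines followed by an approval; bob's decline two hours before his approval stays below the window and is not reported, which is the kind of threshold a rule author tunes against real sign-in volume.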
New fields required in ECS/data sources for this rule?
No
Related issues or PRs
References
https://attack.mitre.org/techniques/T1621/
https://www.mandiant.com/resources/blog/russian-targeting-gov-business
https://arstechnica.com/information-technology/2022/03/lapsus-and-solar-winds-hackers-both-use-the-same-old-trick-to-bypass-mfa/
https://portswigger.net/daily-swig/mfa-fatigue-attacks-users-tricked-into-allowing-device-access-due-to-overload-of-push-notifications